03. PRIVACY POLICY

Explains what a privacy policy is and what it must include.

1.1 What is a privacy policy?

A privacy policy is a legal document whose purpose is to inform your users about your personal information collection and protection practices. Having a privacy policy that’s easy to find, uses clear and comprehensible language and is transparent about personal information handling practices is an excellent means for a youth enterprise to gain parental trust.

1.2 What information should a privacy policy include?

Your privacy policy should clearly lay out your practices concerning how you handle personal information (collection, tracking tools, usage, sharing, protection, storage, deletion, etc.). The challenge lies in presenting this mass of information concisely and in terms simple enough for the average consumer to read and understand.

While there is no one universal approach, your communication style must be appropriate to your audience and the nature of your platform. For youth production professionals, this could mean adapting your level of language (i.e. avoiding legal jargon) and limiting the information you provide to only what is strictly necessary (i.e. excluding superfluous information).

See our recommendations for more on what your privacy policy should contain.

1.3 Where should the privacy policy be posted?

Privacy policies are generally posted on the home page. For mobile apps, if the distribution platform allows this, you can include a link to your privacy policy on your product description page. This shows transparency, since you are enabling parents to consult your policy before downloading your app. You can also post it in a dialogue box that appears when users visit for the first time.

Regardless of the platform, the privacy policy must be easy to find: users shouldn’t have to go looking for it.

The privacy policy is a universal tool that works in tandem with parental consent for the collection of personal information. Producers must assume that the user’s consent rests on their full understanding of the information contained in the policy. Every country requires websites that collect personal information to post a privacy policy; however, the United States imposes stricter requirements as to what the policy must include.

UNITED STATES

Children’s Online Privacy Protection Act (COPPA)

Federal law to protect personal information about children collected online. COPPA applies to products that collect personal information from U.S. children aged under 13, including collection by companies based outside the U.S.

Under COPPA, your privacy policy must be clear and easy to read. The policy must feature on the home page and in each section where personal data is collected. Links to your privacy policy must be readily apparent (a link in small font at the bottom of the page is not considered “apparent”). Your policy cannot include promotional materials.

The contents of a COPPA privacy policy are divided into three main categories:

  • The contact information of third parties who collect personal information through your platform
  • A description of the personal information you collect and how you use it
  • A description of parents’ rights and the procedures to follow to exercise these rights

For details on what to include in a COPPA privacy policy, see our recommendations.

Additional information:

Federal Trade Commission: COPPA Rule: A Six-Step Compliance Plan for Your Business

iubenda: service for generating COPPA-compliant privacy policies

CANADA, EUROPEAN UNION, FRANCE & AUSTRALIA

All of these countries require you to post a clearly intelligible privacy policy describing your personal information handling practices.

Additional information per country:

Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)

Office of the Privacy Commissioner of Canada, Getting Accountability Right with a Privacy Management Program

Office of the Privacy Commissioner of Canada, Mobile – Good Privacy Practices for Developing Mobile Apps

France: Act on Information Technology, Data Files and Civil Liberties

Commission nationale de l’informatique et des libertés (CNIL), Rights and Obligations

European Union: Directive on Privacy and Electronic Communications

European Union Agency for Fundamental Rights, Handbook on European Data Protection Law

Australia: Privacy Act

Office of the Australian Information Commissioner: Privacy law reform

Apple App Store

Apple requires apps in the Kids Category to display a privacy policy that complies with applicable local children’s privacy laws.

Additional information

Amazon Appstore

If you and/or any third party plug-ins or services you use collect personal information, you must provide legally adequate privacy notices.

Additional information

Google Play

Google asks you to publish a disclosure informing users what information the app would like to access and how such information will be used.

Ensure that users are aware of this by putting your disclosure in a prominent place. Display your disclosure in an End User License Agreement (EULA) so that the user can provide their consent at first launch. The disclosure should be clear and succinct and displayed in a modal window that asks the user to consent to the terms before using the app.

Additional information

  • The privacy policy is a legal document: consult a professional to ensure that your policy adequately covers your platform.
  • The privacy policy must cover the following:
    • Your company’s contact information
    • A description of the types of data collected and the methods used to collect them (e.g. children’s information, use of cookies, etc.)
    • The reasons why you collect information
    • How the information will be applied (e.g. used to inform contest winners)
    • How the information will be safeguarded
    • How long you intend to store the information
    • Practices from which the user can withdraw (e.g. behavioural advertising)
    • For data shared with third parties:
      • Type of business or service (e.g. web analytics)
      • The third party’s use of the data gathered
  • *COPPA policies must also include:
    • A complete list of all third parties who collect personal information through your platform, including contact information (address, telephone number, email)
    • A description of parents’ rights and the procedures to follow to exercise them. These rights stipulate that:
      • The child will not be asked to provide more data than is reasonably required to participate in an activity.
      • Parents can consult the data collected on their child, ask to have them deleted and refuse future collection.
      • Parents can agree to have their child’s data collected and used but withhold their consent to have the information shared with third parties.
  • Find ways of encouraging users to consult your policy. For example, use illustrations that convey the essentials of your privacy parameters, with a link to detailed explanations.
  • You should still post a privacy policy even if you do not collect personal information.
  • Ensure that your privacy policy is easily accessible from your home page or home screen.
  • Though the information it contains should be presented as concisely as possible, your privacy policy can also be used to share any other specifications about user information. For example:
    • Though metadata do not qualify as personal information, you can include an explanation of how you use them.
    • Indicate whether your platform allows children to make information publicly accessible — a particularly crucial consideration for sites with community features like bulletin boards, forums, chat rooms or text fields to be filled in (e.g. “Describe your character”).
    • Explain how users can access the personal information you have about them.
  • Periodically check your personal information handling practices to ensure they continue to align with your privacy policy.
  • Transparency in personal information practices is a dynamic process that doesn’t stop once the privacy policy has been posted. Update your policy as needed.
  • Include the date of the most recent update at the end of the policy.
  • Find ways of informing users of any updates to your privacy policy.

***MOBILE***

  • For ease of reading on the small screen, draft your policy using a layered or “tiered” approach, stating the most essential information up front with links leading to the specifics.
